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Summary: For the past 2 years, Harris Corporation has 
been conducting research for the Air Force Research 
Laboratory under the Network Visualization Tool (NVT) 
Program. The NVT concept defines a knowledge solici- 
tation and translation framework for risk assessment. 
This framework incorporates a graphical description of a 
network topology, a central repository of modeling data, 
and report consolidation from, multiple risk/vulnerability 
assessment tools into a single vulnerability assessment. 
Results are presented to a system user through a compre- 
hensible, graphical interface. The goal of this effort is to 
investigate the feasibility of developing such a frame- 
work for a graphical risk analysis environment that can 
accommodate both existing and new risk analysis tech- 
niques. 

The result of the NVT Program is an initial vulner- 
ability visualization and assessment environment, con- 
solidating multi-source output into a cohesive capability 
with an open, a standards-based architecture. The initial 
NVT proof-of-concept prototype has been completed. 
This paper describes the NVT architecture, its compo- 
nents, important architecture features, benefits of the 
NVT approach, and potential future enhancements. 

I. INTRODUCTION 

Next generation information systems and infrastruc- 
tures apply the concept of acceptable risk to vulnerability 
assessment and coalition, information sharing. In this 
environment, the security features of the system architec- 
ture are considered sufficient protection for the mission 
and any supporting data processed. In previous genera- 
tions of systems, a risk adverse vulnerability posture 
dictated custom hardware and software solutions and 
minimal coalition data interchange. Today, the rapid 
evolution of technology and the proliferation of comput- 
ing power mandate the use of commodity Commercial- 
Off-The-Shelf (COTS) hardware and software compo- 
nents for cost effective solutions. This strong depend- 
ence on COTS implies that commercial grade security 
mechanisms are sufficient for most applications. Secu- 
rity architectures, therefore, must be structured to support 



building security architectures with relatively weak 
COTS components. Higher assurance security compo- 
nents are placed at community or information bounda- 
ries, forming an enclave-based security architecture that 
implements a defense-in-depth approach, to information 
assurance. 

There are few system architecture design tools 
available to analyze architecture alternatives. Security 
risk, system performance, and mission functionality must 
be balanced while accommodating budgetary constraints. 
Current generation risk analysis tools usually provide 
single vendor solutions that address a particular aspects 
of risk, but are not easily expanded to address emerging 
technologies and their vulnerabilities. These tools tend 
to fall into one of three categories: 

1 . Tools using documented vulnerability databases and 
possibly repairing known vulnerabilities. Tools of 
this type are vendor-dependent for database updates, 
either through new product versions or by a sub- 
scription service. Examples of tools in this category 
are Internet Security System's (ISS) Security Scan- 
ner and Network Associates Inc.*s CyberCop. 

2. Monolithic tools using various parameters to calcu- 
late a risk indicator. These tools are difficult to 
maintain and harder to keep current in the rapidly 
evolving threat and technology environment. An 
example of this tool category is the Los Alamas 
Vulnerability Assessment Tool (LAVA). 

3. Tools examining a particular aspect of the system, 
such as the operating system or database manage- 
ment system, but ignoring other aspects of the sys- 
tem. SATAN, for example, analyzes operating sys- 
tem vulnerabilities but ignores infrastructure com- 
ponents such as routers and switches. 

None of these tools implement an aggregate security 
snapshot approach to the system, with a "drill down" or 
layered approach to facilitate addressing risk at various 
layers (network, platform, database, etc.) of the system. 
They provide little assistance to system designers when 
analyzing alternatives among security risk, system per- 
formance and mission functionality, instead providing a 
"risk solution" addressing the particular aspect of risk 
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that a given tool was designed to address. To develop a 
comprehensive risk picture, a tool user would have to 
become proficient in the use of several tools, and manu- 
ally correlate the resulting outputs. 

Risk analysis is the assessment of the potential sys- 
tem vulnerabilities that may give rise to a security viola- 
tion. An essential criterion for successful risk analysis is 
complete and accurate data for the generation of the sys- 
tem models used by the analysis tools. Most of the cur- 
rent risk analysis tools rely on surveys filled out by users, 
system operations personnel, and analysts to acquire the 
data for development of the system model. Alterna- 
tively, active network scanning may be used to test vari- 
ous vulnerabilities against system components. Textual 
or survey-based knowledge solicitation techniques are 
labor intensive and potentially tedious for the analyst. 
Many of the existing tools reuse the same information to 
analyze different aspects of the system security. 

A centralized repository of system modeling data 
could provide a basis for shared inputs among existing 
tools. This repository could generate data sets for use by 
risk analysis tools, allowing multiple tools to be executed 
against the same system without separate input activities, 
and reducing the possibility of operator error. The use of 
multiple risk tools for backend analysis would allow 
various aspects of the system to be analyzed without the 
cost of developing one tool to perform all types of analy- 
sis. Integration of the information and the resulting in- 
formed assessments made available through multiple tool 
analyses could produce a more robust and accurate pic- 
ture of a system's vulnerability posture. By providing an 
easier framework for alternative evaluation and compari- 
son, these results could facilitate more informed system 
design decisions. 

The Network Visualization Tool (NVT) Program 
explored the feasibility of defining a shared data reposi- 
tory for risk assessment information. The results of our 
research included a vulnerability analysis tool frame- 
work, a working proof of concept of the architecture, and 
an innovative application of data fusion technologies to 
the risk analysis environment. This paper describes the 
progress and results of the NVT Program. 

II. SYSTEM OVERVIEW 

Under the Network Visualization Tool program, 
Harris Corporation defined and developed an innovative 
and unique vulnerability assessment framework. This 
framework, the NVT system architecture, can accommo- 
date changes to the threat and the technology environ- 
ments and preserve the results from current risk analysis 
tools. The goal of this effort is to research, develop, test, 
and demonstrate an engineering prototype for a system 
vulnerability assessment framework that helps system 
architects identify security vulnerabilities and develop 
cost-effective countermeasures. 

NVT provides a flexible, extensible, and maintain- 
able architecture solution. The NVT prototype isolates 



factual information about a system from the reporting 
and processing capabilities of individual vulnerability 
assessment tools. No single vulnerability assessment 
tool can adequately address all components of a compre- 
hensive system architecture. A monolithic assessment 
system is difficult to evolve with the dynamic nature of 
threat and technology. NVT allows multiple tools to 
share data and provides a concise, understandable report 
to the system user. Our objective was to develop a pro- 
totype system security engineering tool that: 
o Functions as a design tool to identify vulnerabilities 
in an architecture before the architecture is built and 
help enforce good security design principles 
o "Snapshots" a system and its vulnerabilities, and 
compares how risk evolves over the system life cy- 
cle 

© Applies static vulnerability databases from a variety 
of sources 

o Applies legacy risk analysis tools and threat models 
o Correlates information from various risk mod- 
els/tools into a more comprehensible picture of the 
system's vulnerabilities 
o Allows what-if analysis to facilitate comparative 
analysis among security, functionality, performance, 
and availability 
o Provides an easy to use capability to specify the se- 
curity relevant characteristics of a system design 
o Our vision of a system security engineering tool that 
facilitates system vulnerability assessment incorpo- 
rates a single, graphical representation of a system. 
This system representation is provided to multiple 
risk/vulnerability assessment tools and vulnerability 
data or knowledge bases, resulting in a single 
source, consolidated input system model for multi- 
ple tools. The NVT prototype integrates and 
interactively applies multiple existing risk 
assessment technologies. A Fuzzy Expert System 
applies the unique correlation technology of 
FuzzyFusion™ to combine the results from the 
various tools into a single, clear, cohesive 
vulnerability assessment report. The . concept is 
HTheMteTI prcEcgypc Is implemented on an Intel Pen- 
tium PC platform running Windows NT. This platform 
was selected as a low cost solution supporting a large 
variety of assessment tools. The initial tool suite em- 
ploys a number of COTS/GOTS capabilities including: 
o HP Open View, for network automatic discovery or 

manual network modeling, 
o ANSSR, a Government-Off-The-Shelf (GOTS) net- 
work system analysis tool developed by MITRE, 
o RAM, NSA's risk assessment methodology, imple- 
mented in the DPL-F decision support programming 
language. 

o Internet Security Systems Internet Scanner, a scan- 
ning vulnerability tool suite. 



2 



Report 
Options 



Analysis 
and 

Integration 



System 
Picture 



Data Sources 




Otfier 
Tools 



Implemented 



Future Development 



Figure 1. — The NVT Vulnerability Assessment Tool Architecture Concept. 



IL1 System Architecture Data Entry 

NVT is based on the concept of a knowledge solici- 
tation framework that incorporates a graphical descrip- 
tion of a network topology. This topology is used for 
capture of network attributes, and is subsequently ana- 
lyzed for security vulnerabilities. The knowledge solici- 
tation portion of NVT applies modern network discovery 
capabilities and a graphical user interface. This im- 
proves the accuracy of the network model, provides a 
common network description for multiple risk analysis 
reasoning engines, and enhances the productivity of the 
system security analyst. 

The NVT prototype automatically maps an existing 
network, or can be used for the manual entry of a net- 
work design. The prototype uses HP OpenView to 
graphically depict a network topology. As illustrated in 
Figure 2, once it has been given the IP address of the 
default router for the network, NVT, through the use of 
OpenView, can search for computers and other devices 
attached to the network. It performs an active search, 
pinging possible IP addresses on the network, and adding 
whatever response information it receives to its network 
map. NVT also provides, through OpenView, a manual 
method to draw a proposed network with a graphical user 
interface that supports drag and drop, as illustrated in 
Figure 3. 

Through this interface, a System Security Engineer 
can rapidly define a given system architecture, including 
the security critical information. For example: 

• A user can apply the manual entry capability to con- 
sider alternative designs as part of a trade study. 

• A user may edit the properties of each node, provid- 
ing additional details as required to provide com- 
plete logical network planning. 



• A user can also represent an entire network on a map 
by using a subnetwork icon. A detailed map of the 
subnetwork can be linked to this icon and displayed 
by double clicking on the icon. 

Once the system description has been completed, the 
NVT prototype represents and stores the description in 
an object/class hierarchy. This single topological model 
supports the information needs of multiple vulnerability 
assessment tools, as well as the FuzzyFusion™ of their 
results into a cohesive risk assessment. NVT translates 
this system representation into the appropriate format for 
each of the assessment tools employed. This single ob- 
ject representation of the system simplifies the use of 
multiple tools, eliminating redundant data entry. It also 
provides the foundation for addressing the problem of 
incomplete data for a given vulnerability assessment 
tool, and for future knowledge negotiation capabilities to 
correct data inconsistencies. 

IL2 Risk Analysis Tool Selection . 

Under the NVT Program, Harris surveyed current COTS, 
GOTS and research vulnerability assessment and reason- 
ing tools to determine their capabilities and availability. 
Tools were categorized by the types of vulnerabilities 
assessed, and their functional characteristics. Each tool 
was further evaluated on its data acquisition and output 
formats to determine how the information can be applied 
in the NVT engineering prototype implementation. The 
primary criteria were the operating system required by 
the tool, the capability of the tool to assess network envi- 
ronments, the data gathering methods used by the tool, 
and the risk types assessed by the tool. The vulnerability 
assessment and reasoning tools selected had to be able to 
execute in the NVT prototype's operational environment 
(a PC with Windows NT). 
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Figure 2. HP Open View 's Network Discovery Tools enable NVT users to map an Existing Network for Fur- 
ther Security Analysis 




A primary purpose of the NVT prototype was the 
demonstration of a framework with the flexibility to in- 
tegrate and interactively use multiple existing vulnerabil- 
ity assessment and reasoning technologies. In order to 
demonstrate the proof of concept of integrating and in- 
teractively using multiple existing vulnerability assess- 



ment and reasoning technologies within program restric- 
tions, a representative sample of tools was selected for 
inclusion in NVT. As a result of the tool survey, 
ANSSR, RAM, and ISS Internet Scanner were selected 
for inclusion in NVT. These three tools met the project 
requirements and provided the greatest diversity of func- 



4 



tional capabilities, as shown in Table 1, The Selected 
Tools' Capabilities Summary. The selected tools repre- 
sented the greatest diversity of reasoning characteristics 
with the lowest number of expected integration risks. 

The MITRE Corporation's Analysis of Networked 
Systems Security Risks (ANSSR) prototype is a risk 
analysis tool which simulates attacks on information 
systems and communications between them that result in 
unauthorized disclosure of sensitive information. These 
simulated attacks, or' threat scenarios, can be initiated by 
different types of attackers, including insider threats as 
well as those coming from outside an intranetwork . 
ANSSR compares the risk-reducing effects of different 
sets of safeguards in light of a given security concept of 
operations. Safeguards include computer security 
(COMPUSEC) features and assurances, commimications 
security (COMSEC) controls, emanations protection, 
physical security, and procedural controls. ANSSR ex- 
plicitly analyzes risks due to networking. ANSSR 2.2 
includes simulated passive and active wiretap attacks as 
well as attacks in which an attacker, logged on at one 
system, exploits that system's connectivity to other sys- 
tems to attack them. ANSSR can also be applied to a 
stand-alone system. An analyst can enter or reuse a 
baseline system description, then ask ANSSR to develop 
all possible scenarios against the baseline system. Sin- 
gle-scenario risks are aggregated into a bottom-line risk 
of all possible scenarios. ANSSR is intended primarily 
for use during the requirements definition phase, but can 
also be used to guide the risk analysis performed to sup- 
port accreditation. 

Internet Security Systems' (ISS) Internet Scanner is 
a fast, comprehensive and proactive Windows NT and 
UNIX network security scanner. It is a vulnerability 
assessment product that analyzes the security of devices 
on an enterprise-wide network. It has 30 predefined re- 
ports that are used to collect the information needed to 
make security policy decisions. Internet Scanner per- 
forms a variety of vulnerability detection, ranging from 
information-gleaning exercises to finding vulnerabilities. 



It finds vulnerabilities much as an intruder would - by 
examining a network's devices, services, and interrela- 
tionships. Internet Scanner provides detailed information 
about all vulnerabilities detected, including the vulner- 
able host, description, and corrective actions. It also 
provides illustrated management and trends analysis re- 
ports. Internet Scanner can be used on all TCP/IP-based 
networks - networks connected to the Internet as well as 
stand-alone networks and machines. 

NSA's Risk Analysis Model (RAM) is a methodol- 
ogy to help balance an acceptable risk profile. RAM is a 
flexible methodology, utilizing event trees and a func- 
tional probabilistic decomposition of a problem. It 
moves the risk assessment process from a qualitative 
discipline to quantitative discipline. Users identify the 
probabilities of various events, and RAM aggregates the 
probabilities, as well as addressing vulnerabilities over 
time. RAM is an analytic methodology that enables 
analysis of risk for decision trade-offs. It allows for sen- 
sitivity analysis, and identifies the weakest links of a 
system. RAM has been incorporated into a COTS tool, 
the DPL-f programming language for decision support, 
developed by Applied Decision Analysis LLC, a wholly 
owned subsidiary of Price Waterhouse Coopers Ltd. 

DPL (Decision Programming Language) is a deci- 
sion support software package that facilitates the model- 
ing of complex decisions. It allows a user to incorporate 
uncertainty and flexibility into the decision process. 
DPL provides a graphical interface for building a model, 
and performs a variety of analyses on the model. DPL-f 
contains all of the functionality built into DPL. In addi- 
tion, DPL-f provides a graphic interface for fault tree 
construction. This feature allows the modeler to create 
fault trees and incorporate them into DPL models. DPL- 
f contains some unique analytic tools as well. These 
include the ability to calculate explicitly the probability 
of any event in the tree and to perform fault tree-specific 
types of sensitivity analysis. DPL-f provides an interface 
for incorporating time series into a model. This allows 
the modeler to account for devaluation, capital 



Table L The Selected Tools' Capabilities Summary 


Selected Tool 


Functional Capabilities 


ANSSR 

(Analysis of Networked Systems 
Security Risks) 
MITRE Corporation 


Passive data gathering 

- Model structure 

- Survey based data gathering 

- Network aware 


Risk Type 

- Single Occurrence of Loss 


RAM 

(Risk Assessment Model) 
NSA 


Passive data gathering 

- Event tree 

- Prioritized attack list 
Risk Type 

- Mathematical model 

- Multiple risks/services 

- Event based over time 


Extensible to Risk Type 

- Comparison of effectiveness of dif- 

ferent designs 

- Not limited to computers/networks 

- Optimization of system/cost benefit 
analysis 


ISS Internet Scanner 

Internet Security Systems (ISS) 
Corporation 


Active data gathering 

- Scans network for hosts, servers, fire- 
walls, and routers 

- Assesses security and policy compli- 
ance of networks, operating systems, 
and software applications 


Risk Type 

- Computer Network Compliance Re- 
port (snapshot in time) 
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growth, or other rime-varying quantities without chang- 
ing the structure of the model. DPL-f provides RAM 
with additional capabilities for rapid fault tree construc- 
tion, libraries of embedded fault trees, an expert opinion 
generation system, enumeration and ordering of cut sets, 
and a graphical portrayal of risk over time. 

II.3 Output Report Correlation and Generation 

None of the above tools take an aggregate snapshot 
approach to the system, with a "drill down" or layered 
approach to address risk at various layers (network, plat- 
form, database, etc.) of the system. Using multiple risk 
analysis tools would allow various aspects of the system 
to be analyzed for vulnerabilities without the cost of de- 
veloping one tool to perform all types of analysis. To 
provide a more comprehensive vulnerability assessment 
of a system than any one tool could provide, the outputs 
of the various tools must be integrated and fused into a 
single, concise report. This provides greater assistance 
to system designers analyzing alternatives among secu- 
rity risk, system performance, and mission functionality. 

_ Under the NVT. effort, Harris investigated technolo- 
gies that would support our goal of integrating and fusing 
the results from multiple vulnerability analysis applica- 
tions. By examining the variety of current COTS and 
GOTS products, and the variety of inputs and outputs 
those products require, it became apparent that fuzzy 
decision technology offered the most flexible solution to 
our problem. Our focus on fuzzy decision methodolo- 
gies as our technological foundation was based on an 
analysis of a variety of technologies, including Expert 
Systems, Databases Systems, Neural Networks, Fuzzy 
Logic, and Fuzzy Expert Systems. Fuzzy Expert Sys- 
tems are based on the premise that multi-criteria, multi- 
expert 



decision making can lead to a best-fit answer. The pri- 
mary benefit of a fuzzy reasoning system is its ability to 
use and assimilate knowledge from multiple sources. 
We believe that Fuzzy Expert System technology is most 
applicable to the NVT architecture because: 

• At least one expert exists for each tool that we wish 
to include in the system 

• The problem itself is fuzzy; it has ambiguities and 
often partial information 

• We can incrementally learn and apply new tech- 
nologies as the system grows 

• We believe we can identify valid membership func- 
tions for the mapping of data to concept and concept 
to knowledge 

NVT performs FuzzyFusion™ to combine the results 
of multiple vulnerability assessment/risk analysis tools 
into a unified report. The FuzzyFusion™ is accom- 
plished through the use of a Fuzzy Expert System, which 
combines the outputs of the various tools, user concerns 
about system risks and vulnerabilities, and expert under- 
standing of the results of each tool and how these fit into 
the larger information system security picture. 

Output of the concise assessment can be provided to 
the NVT user through multiple means and in various 
degrees of detail, as illustrated in Figure 4. The graphi- 
cal network map of a system can be color-coded to pro- 
vide a visual indication of where the greatest risks are 
located. In Figure 5, the node with the greatest associ- 
ated risk is colored red. Less severe risks are colored 
yellow. A pop-up slider window can also be used to 
indicate the top N risks, and their severity. Further de- 
tails, such as text reports and spreadsheet analyses, can 
be accessed by drilling down through the layers of in- 
formation. 
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Figure 4. NVT leverages Existing Vulnerability Assessment Tools to present a Single Cohesive Risk Picture 
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III. FEATURES AND BENEFITS 
OF NVT 

The result of the NVT Program is a prototype dem- 
onstrating a comprehensive vulnerability profile based 
on the user's defined acceptable risk of compromise to a 
given system. End users have a simple expression of the 
vulnerability posture of a given system or system design, 
and are capable of performing "what if* analysis for 
functionality, performance, and countermeasure trades. 

The primary advantage of the NVT prototype is that 
it provides a flexible, modular, extensible approach to 
vulnerability assessment. This innovative design ac- 
commodates multiple risk assessment techniques, but 
only requires single entry of the system description 
(through auto discovery or manual entry of a model), 
which is a significant benefit to the System Security En- 
gineer. Figure 5 illustrates the NVT interface to ANSSR. 
In stand-alone use, ANSSR uses a character based GUI 
. for user data input. As the number of windows and 
menus suggests, entry of information into the tool is a 
manually intensive exercise. One of the benefits of NVT 
is that it automatically provides the required system in- 
formation to the various vulnerability assessment tools, 
allowing each tool to use only the input data it requires. 
NVT eliminates the labor-intensive methods associated 
with using the legacy assessment tools while preserving 
the existing user investment in legacy methodologies. 
NVT also provides a mechanism to correlate information 
among several tools. Information solicited from the user 
for any single tool is shared among all tools. Legacy 
vulnerability assessment tools and databases can be re- 



used, and their results used in conjunction with alternate 
risk models. 

NVT was designed to be an affordable vulnerability 
assessment environment. Many monolithic risk asses- 
ment tools require high performance Unix platforms and 
cost over $40,000 per copy. The NVT prototype was 
developed on a Windows NT-based Pentium platform. 
Our initial tool suite reflects a desire to be economical 
and pragmatic in tool selection. Three COTS/GOTS 
vulnerability assessment tools are incorporated into the 
framework: ANSSR, RAM, and ISS Internet Scanner. 
Costs for the runtime licenses of COTS products cur- 
rently employed within the NVT prototype along with a 
suitable NT workstation are approximately $12,000. 

The modular, extensible system design for NVT en- 
sures ease of : technology transition and integration as 
new vulnerability tools and technology vulnerabilities 
come to market. Our estimate for the incorporation of 
new tools into the NVT environment is approximately 
eighty hours of engineering integration. This modularity 
preserves user legacy models and tool investments, al- 
lowing each, user to select the tools most appropriate for 
his environment and needs. 

IV. COMPARISON WITH 
OTHER WORK 

To the best of our knowledge, no current risk as- 
sessment tool environment is designed as an integrable 
architecture. Most tools on the market today either per- 
form real time, active scanning analysis of a single node 
within a network, or ask for user input on the network 
system and its physical environment. Each of these 
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Figure 5. Entering System Information into the Interface for ANSSR is a Manually Intensive Process 
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techniques is valuable for a particular class of problems. 
However, the ability to accommodate new protocols, 
vulnerabilities, and classes of devices within a single risk 
assessment framework is extremely valuable. NVT also 
provides a comprehensive graphical output capability 
that consolidates multiple tool outputs into a cohesive 
system risk profile. NVT was designed to make risk 
assessment a feasible, comprehensible activity without 
requiring the user to develop comprehensive expertise in 
the interpretation of risk analysis results. 

The only tool suite that is as ambitious as NVT is 
CRAMM, the Central Computer and Telecommunica- 
tions Agency's (CCTA) Risk Analysis Management 
Methodology. CRAMM allows security assessments to 
be conducted in terms of security objectives (policy 
statements), security functions (countermeasures), or 
security examples (implementations). CRAMM is de- 
signed to be a comprehensive risk assessment system. 
As such, it is not designed for casual users, but for 
trained risk analysis experts with a high degree of exper- 
tise in the use and interpretation of CRAMM results. 

V. FUTURE RESEARCH 

The basic foundation of NVT provided valuable ex- 
perience in risk analysis tool integration and correlation 
technologies. Future research and development efforts 
will benefit from the use of the NVT prototype by Sys- 
tem Security Engineers. These uses will include apply- 
ing NVT to: 

• Identify vulnerabilities and enforce good security 
design principles 

• "Snapshot" a system and its vulnerabilities, and 
compare how risk evolves over the system lifecycle 

• Correlate information from various risk tools in an 
understandable graphical vulnerability analysis 

• Support hypothetical analysis, facilitating architec- 
ture choices among security, functionality, perform- 
ance, and availability 

• Provide rapid specification of the relevant character- 
istics of a system design 

Beyond the efforts conducted under the initial NVT 
Program, further research is need to improve the Fuzzy- 
Fusion™ used to combine outputs from various risk 
analysis tools into a unified report. In addition, we have 
identified new functionality to incorporate into the re- 
sults analysis, including: 

• Temporal Based Reasoning. Accounts for the time 
required to exploit a known vulnerability as part of 
the system assessment process. It enables an analyst 
to perform a vulnerability assessment that accom- 
modates the time required to exercise a given vul- 
nerability. For example, if the time that is required 
to compromise a given node is greater than the time- 
line for mission completion, then the threat is mini- 
mal. 

• Vulnerability Thresholding. Minimizes continued 
computation when an aggregate vulnerability level 
in a given system or segment exceeds a user defined 
limit, allowing the user to define his own vulnerabil- 



ity tolerance. It eliminates possibly computationally 
intensive search trees when a sufficiently lethal vul- 
nerability is located, or when a large number of vul- 
nerabilities are identified. It allows the user to de- 
fine his vulnerability tolerance level and supports 
configurable definitions of acceptable levels of vul- 
nerability. 

• Reasoning with uncertainty or incomplete data 
information. Provides the user with some answer, 
usually the best solution that is available with the in- 
formation available at a given moment in time. 

• Vulnerability trade-off visualization techniques. 
Allow the user to easily perform what-if analysis 
and experimentation among performance, function- 
ality, and countermeasures. It enables the user to 
readily understand the possible comparisons among 
desired capabilities. 

This functionality will allow NVT; to more accu- 
rately reflect the human decision making process. Fur- 
ther, it will support a more robust, systems orientation 
towards vulnerability analysis, accommodating consid- 
eration of application and platform vulnerabilities as well 
as conventional network vulnerabilities. 
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